Autopsy 4.16 Release Highlights



Autopsy 4.16.0 is out and has a lot of new enhancements and fixes. You can see the detailed list and get the downloads from here. This blog highlights a few notable new features and themes.

Flag Cloud, CryptoCurrency, and Other Files

Autopsy will now alert you to the existence of cloud synchronization programs, CryptoCurrency wallets, encryption programs, and VPN programs using its “Interesting Files” ingest modules. This general capability has always been in Autopsy, but we are now shipping with rules instead of relying on you to make them.

You’ll see them as options on the right when you configure the Interesting Files module.

You’ll see the results in the Results part of the tree. It’s important to point out that we are not parsing any of these files. We’re just making sure you are aware of them.

If you’d like to contribute rules back to help your colleagues, we have a page that describes how to get rules back to us so that we can incorporate them.

Streaming Ingest

When you add a disk image to a case, Autopsy will now start analyzing its files sooner, so you get results faster than before.

In previous versions of Autopsy, there was a discrete phase where Autopsy would use The Sleuth Kit to enumerate all of the files and add a row for each into the database. Once all files were added, the ingest pipelines would start and analyze the files based on a priority order. We call this batch processing since it ended up analyzing all of the files in the DB.

The challenge was that sometimes it took a while to enumerate all of the files on large systems and you were stuck waiting for it to find every file before you got any hashset or keyword hits. Another problem was that if you added a disk image and were already analyzing one, then the analysis would pause while the disk image was being added.

Now, Autopsy will add small sets of files to the database as it enumerates them and they will be immediately scheduled for analysis. So, now you can start to get hashset hits and such while files are still being enumerated. We call this stream processing because files are added to the scheduler as they are found.

This change has no process impact on users or ingest module writers. It’s all transparent. If you are a developer making a DataSourceProcessor module and you want to make your module streaming, then you’ll need to implement runWithIngestStream.
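
The difference between the two scheduling models, as an added example (a toy simulation written for illustration, not Autopsy code). The tick costs, the single analysis worker, the batch size of 100, and the constructed file list and hashset are all assumptions.

```python
import hashlib

ENUM_TICKS = 1     # assumed cost to enumerate one file and add its DB row
ANALYZE_TICKS = 2  # assumed cost for the ingest pipeline to hash one file


def build_image(n_files, bad_positions):
    """Constructed sample data source: a list of (path, content) pairs."""
    return [("/img/file%04d.bin" % i,
             (b"known-bad-%d" if i in bad_positions else b"benign-%d") % i)
            for i in range(n_files)]


def ingest(files, hashset, batch_size):
    """Return [(tick, path)] for every hashset hit, in the order found.

    A file can be scheduled only once its whole batch has been enumerated.
    batch_size == len(files) models the old batch phase; a small batch_size
    models streaming. Enumeration and analysis run concurrently, with one
    analysis worker.
    """
    hits = []
    worker_free = 0  # tick at which the analysis worker is next idle
    for start in range(0, len(files), batch_size):
        batch = files[start:start + batch_size]
        available = (start + len(batch)) * ENUM_TICKS  # batch is in the DB
        for path, content in batch:
            begin = max(worker_free, available)
            worker_free = begin + ANALYZE_TICKS
            if hashlib.sha256(content).hexdigest() in hashset:
                hits.append((worker_free, path))
    return hits


def compare(n_files=1000, bad_positions=(3, 700), stream_batch=100):
    """Run both modes over the same constructed image and hashset."""
    files = build_image(n_files, bad_positions)
    hashset = {hashlib.sha256(b"known-bad-%d" % i).hexdigest()
               for i in bad_positions}
    return {"batch": ingest(files, hashset, n_files),
            "streaming": ingest(files, hashset, stream_batch)}


if __name__ == "__main__":
    for mode, hits in compare().items():
        print(mode, hits)
```

With these assumed costs, the first hashset hit lands at tick 1008 in batch mode and at tick 108 when streaming, because analysis no longer waits for all 1000 files to be enumerated.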

Personas in the Central Repository

The last new feature to highlight is Personas, which allow you to group accounts and assign a name to them in the Central Repository. The Central Repository stores info from your past cases and allows you to correlate with past cases and prioritize your data.

The Persona feature allows you to link accounts together and assign a name. For example, you may know that a phone number and email address are used by the same person based on a contact book entry. Previously, that linking could not be stored in the Central Repository. Now it can.

This feature is most useful for those doing long-running investigations that involve multiple parties and cases, such as a drug ring or gang investigation.

When Autopsy shows accounts as part of call logs or messages, it will try to resolve that account to a name using the Persona feature. From this panel, you can create a Persona if one is not defined for that account.

You can manage personas from the “Personas” item in the Tools menu.

This is the initial release of an evolving feature and will have incremental enhancements in future releases.

Get The Latest Version

You can get the latest version of Autopsy from here. To learn more about Autopsy and other open source tools, sign up for our annual OSDFCon conference in November. Registration is free this year for the virtual event.